Server-supported malware detection and protection
Abstract
A method includes receiving, at a server, a first file attribute from a computing device, the first file attribute associated with a file. The method also includes determining, based on the first file attribute, that a classification for the file is unavailable. The method further includes determining the classification for the file based on a trained file classification model accessible to the server and sending the classification to the computing device. The method includes sending at least the classification to a base prediction cache associated with a second server.
20 Claims
1. A method comprising:
- receiving, at a first server, a first file attribute from a first computing device, the first file attribute associated with a first file, the first server comprising a first trained classification model and a first prediction cache;
- determining at the first server, based on the first file attribute, that a classification for the first file indicating whether the first file is benign or malicious is unavailable at the first prediction cache;
- subsequent to determining that the classification for the first file is unavailable at the first prediction cache, sending the first file attribute from the first server to a master server to determine whether the classification for the first file is available at a base prediction cache of the master server;
- subsequent to sending the first file attribute from the first server to the master server, receiving a notification at the first server from the master server that the classification for the first file is unavailable at the base prediction cache;
- in response to receiving the notification, determining the classification for the first file at the first server by performing, at the first server, an analysis of a second file attribute based on the first trained classification model, wherein the second file attribute is associated with the first file and is requested by the first server from the first computing device after receiving the notification, and wherein the second file attribute is distinct from the first file attribute and distinct from an entirety of the first file;
- sending the classification determined at the first server from the first server to the first computing device; and
- sending at least the classification determined at the first server from the first server to the master server for storage in the base prediction cache and for transmission from the master server to at least one second computing device via at least one second server responsive to receipt of the first file attribute from the at least one second computing device via the at least one second server.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A processor-readable storage device storing instructions that, when executed, cause a processor to perform operations comprising:
- receiving, at a first server, a first file attribute from a first computing device, the first file attribute associated with a first file, the first server comprising a first trained classification model and a first prediction cache;
- determining at the first server, based on the first file attribute, that a classification for the first file indicating whether the first file is benign or malicious is unavailable at the first prediction cache;
- subsequent to determining that the classification for the first file is unavailable at the first prediction cache, sending the first file attribute from the first server to a master server to determine whether the classification for the first file is available at a base prediction cache of the master server;
- subsequent to sending the first file attribute from the first server to the master server, receiving a notification at the first server from the master server that the classification for the first file is unavailable at the base prediction cache;
- in response to receiving the notification, determining the classification for the first file at the first server by performing, at the first server, an analysis of a second file attribute based on the first trained classification model, wherein the second file attribute is associated with the first file and is requested by the first server from the first computing device after receiving the notification, and wherein the second file attribute is distinct from the first file attribute and distinct from an entirety of the first file;
- sending the classification determined at the first server from the first server to the first computing device; and
- sending at least the classification determined at the first server from the first server to the master server for storage in the base prediction cache and for transmission from the master server to at least one second computing device via at least one second server responsive to receipt of the first file attribute from the at least one second computing device via the at least one second server.

Dependent claims: 13, 14, 15, 16
17. A system comprising:
- a master server comprising a base prediction cache and a base trained classification model;
- a first enterprise server communicably coupled to at least a first computing device, the first enterprise server comprising a first prediction cache and a first trained classification model; and
- a second enterprise server communicably coupled to at least a second computing device, the second enterprise server comprising a second prediction cache and a second trained classification model,
- the first enterprise server configured to perform operations comprising:
  - receiving a first file attribute from the first computing device, the first file attribute associated with a file;
  - determining, based on the first file attribute, that a classification for the file indicating whether the file is benign or malicious is unavailable at the first prediction cache;
  - subsequent to determining that the classification for the file is unavailable at the first prediction cache, sending the first file attribute to the master server to determine whether the classification for the file is available at the base prediction cache;
  - in response to receiving from the master server a notification that the classification is unavailable at the base prediction cache, sending a request to the first computing device for a second file attribute that is associated with the file, wherein the second file attribute is distinct from the first file attribute and distinct from an entirety of the file;
  - determining the classification for the file by performing an analysis of the second file attribute based on the first trained classification model;
  - sending the classification to the first computing device; and
  - sending at least the classification to the master server; and
- the master server configured to perform operations comprising:
  - storing the classification received from the first enterprise server in the base prediction cache; and
  - after storing the classification in the base prediction cache, sending the stored classification to the second computing device via the second enterprise server responsive to receiving the first file attribute from the second computing device via the second enterprise server.

Dependent claims: 18, 19, 20
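
The lookup order recited in claim 17, as an added example that is not code from the patent or its assignee: two enterprise servers share one master server's base prediction cache. The SHA-256 digest used as the first file attribute, the feature dictionary used as the second file attribute, `toy_model`, and all class and function names are assumptions made for illustration.

```python
import hashlib

class MasterServer:
    """Holds the base prediction cache shared by all enterprise servers."""
    def __init__(self):
        self.base_cache = {}
    def lookup(self, first_attr):
        # None plays the role of the "classification unavailable" notification.
        return self.base_cache.get(first_attr)
    def store(self, first_attr, verdict):
        self.base_cache[first_attr] = verdict

class Endpoint:
    """Computing device: sends attributes of the file, never the whole file."""
    def __init__(self, file_bytes):
        self.file_bytes = file_bytes
    def first_attribute(self):
        # Assumption: the first file attribute is a SHA-256 digest.
        return hashlib.sha256(self.file_bytes).hexdigest()
    def second_attribute(self):
        # Assumption: the second file attribute is a small feature vector.
        return {"size": len(self.file_bytes),
                "distinct_bytes": len(set(self.file_bytes))}

def toy_model(features):
    # Constructed stand-in for the trained classification model.
    return "malicious" if features["distinct_bytes"] > 200 else "benign"

class EnterpriseServer:
    def __init__(self, master, model=toy_model):
        self.master, self.model, self.cache = master, model, {}
    def classify(self, endpoint):
        key = endpoint.first_attribute()
        if key in self.cache:                      # first prediction cache
            return self.cache[key], "local-cache"
        verdict, source = self.master.lookup(key), "base-cache"
        if verdict is None:                        # miss at master as well
            # Only now is the second attribute requested from the device.
            verdict, source = self.model(endpoint.second_attribute()), "model"
            self.master.store(key, verdict)        # publish to base cache
        self.cache[key] = verdict
        return verdict, source

def demo():
    master = MasterServer()
    a, b = EnterpriseServer(master), EnterpriseServer(master)
    sample = Endpoint(bytes(range(256)) * 4)       # constructed sample file
    return [a.classify(sample), a.classify(sample), b.classify(sample)]

if __name__ == "__main__":
    print(demo())
```

The second enterprise server never runs its own model for this file: it returns the verdict the first server wrote to the base cache, which makes that cache a trust point for every server that reads from it.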